Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Operating Systems
Windows 11
Windows 11 22H2 no longer supports Software Restriction Policies (SRP)
Message
<blockquote data-quote="Andy Ful" data-source="post: 1026412" data-attributes="member: 32260"><p>There are several ways of blocking LOLBins. They were discussed many times on MT (including Exploit Protection tweaks):</p><ol> <li data-xf-list-type="ol">SRP, AppLocker, WDAC (MDAC).</li> <li data-xf-list-type="ol">Image File Execution Options (Debugger tweak).</li> <li data-xf-list-type="ol">Exploit Protection (another Image File Execution Options tweak) - it can be done via Security Center.<br /> In some cases, additional mitigations can be needed to block the LOLBin.</li> <li data-xf-list-type="ol">Explorer Policies (user dependent).</li> <li data-xf-list-type="ol">Special policy for Windows Script Host.</li> <li data-xf-list-type="ol">Special policy for CMD (user dependent).</li> </ol><p>In my applications, I commonly use SRP, Exploit Protection (bitsadmin.exe in FirewallHardening), and Windows Script Host policy. The most comprehensive are methods from points 1 and 5 (especially WDAC).</p><p>SRP (Applocker) is most useful, because scripting LOLBins (CMD and Windows Script Host) and MSI Installer can be selectively whitelisted for some files.</p><p></p><p>Blocking LOLBins is easy, but I do not recommend this method without knowing how to find the info about blocked processes. In the case of Exploit Protection, this can be partially done via Event Id=26 (Application Popup).</p></blockquote><p></p>
[QUOTE="Andy Ful, post: 1026412, member: 32260"] There are several ways of blocking LOLBins. They were discussed many times on MT (including Exploit Protection tweaks): [LIST=1] [*]SRP, AppLocker, WDAC (MDAC). [*]Image File Execution Options (Debugger tweak). [*]Exploit Protection (another Image File Execution Options tweak) - it can be done via Security Center. In some cases, additional mitigations can be needed to block the LOLBin. [*]Explorer Policies (user dependent). [*]Special policy for Windows Script Host. [*]Special policy for CMD (user dependent). [/LIST] In my applications, I commonly use SRP, Exploit Protection (bitsadmin.exe in FirewallHardening), and Windows Script Host policy. The most comprehensive are methods from points 1 and 5 (especially WDAC). SRP (Applocker) is most useful, because scripting LOLBins (CMD and Windows Script Host) and MSI Installer can be selectively whitelisted for some files. Blocking LOLBins is easy, but I do not recommend this method without knowing how to find the info about blocked processes. In the case of Exploit Protection, this can be partially done via Event Id=26 (Application Popup). [/QUOTE]
Insert quotes…
Verification
Post reply
Top
